
Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. BobbyWibowo

    What is going on in here?
    Code:
    # ./acmetool.sh certonly-issue fiery.me
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    Cloning into 'acme.sh'...
    [Tue Apr  3 20:17:59 UTC 2018] It is recommended to install socat first.
    [Tue Apr  3 20:17:59 UTC 2018] We use socat for standalone server if you use standalone mode.
    [Tue Apr  3 20:17:59 UTC 2018] If you don't use standalone mode, just ignore this warning.
    [Tue Apr  3 20:17:59 UTC 2018] Installing to /root/.acme.sh
    [Tue Apr  3 20:17:59 UTC 2018] Installed to /root/.acme.sh/acme.sh
    [Tue Apr  3 20:17:59 UTC 2018] Installing alias to '/root/.bashrc'
    [Tue Apr  3 20:17:59 UTC 2018] OK, Close and reopen your terminal to start using acme.sh
    [Tue Apr  3 20:17:59 UTC 2018] Installing alias to '/root/.cshrc'
    [Tue Apr  3 20:17:59 UTC 2018] Installing alias to '/root/.tcshrc'
    [Tue Apr  3 20:17:59 UTC 2018] Installing cron job
    10 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Tue Apr  3 20:17:59 UTC 2018] Good, bash is found, so change the shebang to use bash as preferred.
    [Tue Apr  3 20:17:59 UTC 2018] OK
    https://github.com/Neilpang/acme.sh
    v2.7.8
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    
    -----------------------------------------------------------
    [DNS mode] issue & install letsencrypt ssl certificate for fiery.me
    -----------------------------------------------------------
    testcert value =
    /root/.acme.sh/acme.sh --staging --issue --force --dns dns_cf -d fiery.me -d www.fiery.me -k 2048 --useragent centminmod-centos7-acmesh-dns --log /root/centminlogs/acmetool.sh-debug-log-030418-201751.log --log-level 2
    [Tue Apr  3 20:17:59 UTC 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Tue Apr  3 20:18:00 UTC 2018] Multi domain='DNS:fiery.me,DNS:www.fiery.me'
    [Tue Apr  3 20:18:00 UTC 2018] Getting domain auth token for each domain
    [Tue Apr  3 20:18:00 UTC 2018] Getting webroot for domain='fiery.me'
    [Tue Apr  3 20:18:00 UTC 2018] Getting new-authz for domain='fiery.me'
    [Tue Apr  3 20:18:02 UTC 2018] The new-authz request is ok.
    [Tue Apr  3 20:18:02 UTC 2018] Getting webroot for domain='www.fiery.me'
    [Tue Apr  3 20:18:02 UTC 2018] Getting new-authz for domain='www.fiery.me'
    [Tue Apr  3 20:18:03 UTC 2018] The new-authz request is ok.
    [Tue Apr  3 20:18:03 UTC 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
    [Tue Apr  3 20:18:03 UTC 2018] You didn't specify a cloudflare api key and email yet.
    [Tue Apr  3 20:18:03 UTC 2018] Please create the key and try again.
    [Tue Apr  3 20:18:03 UTC 2018] Error add txt for domain:_acme-challenge.fiery.me
    [Tue Apr  3 20:18:03 UTC 2018] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-030418-201751.log
    
    ---------------------------------
     DNS mode via Cloudflare DNS API
    ---------------------------------
     setup TXT DNS record via Cloudflare API
    
    It says these:
    Code:
    [Tue Apr  3 20:18:03 UTC 2018] You didn't specify a cloudflare api key and email yet.
    [Tue Apr  3 20:18:03 UTC 2018] Please create the key and try again.
    
    but I have both CF_KEY and CF_EMAIL filled in /etc/centminmod/acmetool-config.ini :confused:

     
  2. eva2000

    How did you edit and populate /etc/centminmod/acmetool-config.ini? Using Linux nano/vim text editors, or on a Windows PC with a text editor and then uploaded to the server via FTP?

    If you did the latter, it could be that the text file format is non-Unix.

    What happens if you type the command
    Code (Text):
    dos2unix /etc/centminmod/acmetool-config.ini
    

    to convert the text file to the right format, then try again?
     
  3. eva2000

    @BobbyWibowo also, you ran it for a staging test SSL cert, not live, as the trailing live flag is missing.
    Example run for a test staging SSL cert:
    Code (Text):
    ./acmetool.sh certonly-issue acme9.domain1.com
    

    Example run for a live real SSL cert:
    Code (Text):
    ./acmetool.sh certonly-issue acme9.domain1.com live
    
     
  4. eva2000


    acmetool.sh 1.0.38

    Updated to add a checkdomain option that checks IPv4 and IPv6 domain DNS verification and runs curl checks. Use it for troubleshooting whether your domain DNS is correctly set up.

    Example output for an IPv4 DNS A record only domain with IPv6 disabled:
    Code (Text):
    addons/acmetool.sh checkdomains
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    ----------------------------------------------
    check domain DNS
    ----------------------------------------------
    --------------------------------------------------------------------
    Checking:    mysqlmymon.com
    A record:    209.141.56.102
    AAAA record: not found
    
    curl -4Ivs https://mysqlmymon.com 2>&1 | egrep 'Connected to|SSL connection using|subject:|start date:|expire date:'
    Connected to mysqlmymon.com (209.141.56.102) port 443 (#0)
    SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    subject: CN=mysqlmymon.com
    start date: Mar 02 23:01:08 2018 GMT
    expire date: May 31 23:01:08 2018 GMT
    --------------------------------------------------------------------
     
  5. sepulchre

    I am on http right now and because of GDPR I want to switch to https.

    From what I understand, using the ACME tool will make my site https with a free SSL certificate, is this correct?

    And just in case, before I try it, is there anything I have to back up to be sure, so if I fuk it up, I can go back to it? Is this working with PHP 7.2?
     
  6. eva2000

    PHP has nothing to do with HTTPS.

    For existing sites, to be safe I'd use method 3, outlined and linked at SSL - Centmin Mod Nginx + SPDY & HTTP/2 SSL Setup Guide and also mentioned in the 1st post of this thread via the link to Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates.

    But yes, backing up your Nginx vhosts beforehand would be a good idea; they're at /usr/local/nginx/conf/conf.d, as outlined at Centmin Mod Configuration Files - CentminMod.com LEMP Nginx web stack for CentOS.
     
  7. sepulchre

    @eva2000
    I must say it was almost straightforward, nothing to be afraid of.
    My https works now, thank you.

    One little thing though.
    Step 9 tells us to do
    Code:
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    to force HTTPS as default, which I did. Then I did "nprestart". But still when I visit my site using
    Code:
    domain.com or www.domain.com
    I see the default Centmin Mod Nginx Test Page. Only when I type
    Code:
    https://domain.com
    it works like expected.
    Are there any caches involved? Do I have to wait a little longer for the DNS to renew itself?
     
  8. eva2000

    Are host.domain.com and the HTTPS-enabled site also on the same top-level domain.com? Did you enable HSTS with include subdomain too? If you did, then you're telling browsers to force HTTP to HTTPS redirected connections for domain.com and any *.domain.com subdomain as well.

    See Enabling HSTS for SSL for specifics.
    As accessing host.domain.com is usually reserved for stats and admin pages that only the Centmin Mod LEMP stack owner needs to access, you can just clear your web browser's HSTS record for domain.com and host.domain.com so the web browser no longer redirects from HTTP to HTTPS. I posted a thread at SSL - How to clear HSTS browser cache | Centmin Mod Community specifically for this :)
     
  9. sepulchre

    Yes to all of your questions. I don't have any subdomains, just the one top level, but I still included the subdomain in the HSTS too, to be sure.

    I could but I don't expect visitors knowing how to clear HSTS records.

    I use Firefox :(.
     
  10. eva2000

    Google for "firefox clear HSTS". That is why I warn of the dangers of HSTS if it is enabled incorrectly.
     
  11. sepulchre

    Did I do something incorrectly? Should I remove the subdomain part as I don't have subdomains?
     
  12. eva2000

    yup
     
  13. sepulchre

    It didn't solve the issue.
    It seems that once you visit the page using https, after that domain.com redirects correctly to https.
    But a fresh browser on a first visit using domain.com still lands on the http page (nginx test page), even though the conf file is disabled for http.
     
  14. eva2000

    ;)
     
  15. eva2000

    Oh, you mean http to https is not redirecting?

    Posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect is the correct way to set it up. Pay attention to the different way of doing it if you want the redirect target to be the www version instead of non-www (and vice versa), and to the fact that the target version, www or non-www, must be the only version listed in server_name for the 2nd/main server {} context.

    The key to testing is using a 302 temporary redirect first, in a private incognito browser session; otherwise the problems you experience may end up being due to browser caching or 301 permanent redirects, unless you clear the browser cache and reboot the local computer(s), and even then some web browsers don't let go of their 301 permanent redirect cache that willingly :)

    You can test in SSH via curl to check headers for location field (where the redirect goes) using the following commands:
    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    
     
  16. sepulchre

    Yeah, exactly.

    Still same problem.

    Here is my ssl-conf file:

    I want https only and non-www only.
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
       server_name www.mydomain.com;
        return 301 https://mydomain.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name mydomain.com;
     
      ##  redirect https www to https non-www
          if ($host = 'www.mydomain.com' ) {
             return 301 https://mydomain.com$request_uri;
          }
    
      ssl_dhparam /usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers     ... ... ...;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      add_header Strict-Transport-Security "max-age=31536000;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer; 
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mydomain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/mydomain.com/log/error.log;
    
      root /home/nginx/domains/mydomain.com/public;
    
    location / {
         index index.php index.html index.htm;
         try_files $uri $uri/ /index.php?$uri&$args;
    }
    
    
    
    location /install/data/ {
         internal;
    }
    
    location /install/templates/ {
         internal;
    }
    
    location /internal_data/ {
         internal;
    }
    
    location /library/ {
         internal;
    } 
    
    # xenforo 2 uncomment / remove hash from next 3 lines
    location /src/ {
         internal;
    }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      #include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    Code:
    [22:41][root@ ~]# curl -I http://mydomain.com
    HTTP/1.1 200 OK
    Date: Mon, 28 May 2018 22:46:32 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 4074
    Last-Modified: Thu, 08 Mar 2018 20:58:35 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "5aa1a3fb-fea"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes
    
    Code:
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 28 May 2018 22:47:47 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Location: https://mydomain.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
     
  17. eva2000

    Change from
    Code (Text):
    server {
       server_name www.mydomain.com;
        return 301 https://mydomain.com$request_uri;
     }
    

    to
    Code (Text):
    server {
       server_name mydomain.com www.mydomain.com;
        return 301 https://mydomain.com$request_uri;
     }
    

    You're telling Nginx that both the non-www and www non-HTTPS port 80 hostnames redirect to non-www HTTPS port 443.
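    One way to catch the gap eva2000 fixes above, as an added example that is not Centmin Mod's or the thread's own code: a small Python lint over the flat vhost layout posted earlier. The parser is deliberately simplified (one directive per line, braces placed as in the posted file), the function names and the two sample vhosts are this example's own constructions, and the check lists every hostname served on 443 that no port-80 server {} redirects, which is exactly why http://mydomain.com landed on the default test page.

```python
import re

# Added example, not Centmin Mod code: a line-oriented lint for the flat vhost
# layout posted above. Hostnames served on 443 that no port-80 server {}
# redirects fall through to Nginx's default server (the test page).
LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);")
NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);")
RETURN_RE = re.compile(r"^\s*return\s+30[1278]\s+(https://[^;]+);")

def parse_servers(conf):
    """Top-level directives of each server {}; if/location bodies are skipped."""
    servers, cur, depth = [], None, 0
    for line in conf.splitlines():
        s = line.split("#", 1)[0]  # strip comments
        if cur is None:
            if re.match(r"^\s*server\s*\{", s):
                cur, depth = {"listen": [], "names": [], "redirect": None}, 1
            continue
        depth += s.count("{") - s.count("}")
        if depth == 1:  # depth 2+ is inside an if {} or location {} body
            if m := LISTEN_RE.match(s):
                cur["listen"].append(m.group(1))
            elif m := NAME_RE.match(s):
                cur["names"] += m.group(1).split()
            elif m := RETURN_RE.match(s):
                cur["redirect"] = m.group(1)
        elif depth == 0:
            servers.append(cur)
            cur = None
    return servers

def is_https(server):  # a server {} without a listen directive defaults to *:80
    return any("443" in l or "ssl" in l for l in server["listen"])

def redirect_gaps(conf):
    """Hostnames served over HTTPS that no plain-HTTP server {} redirects."""
    servers = parse_servers(conf)
    redirected = {n for s in servers if not is_https(s) and s["redirect"] for n in s["names"]}
    return [n for s in servers if is_https(s) for n in s["names"] if n not in redirected]

# Constructed sample mirroring the posted vhost: the port-80 block names only www.
POSTED_VHOST = """
server {
   server_name www.mydomain.com;
    return 301 https://mydomain.com$request_uri;
 }
server {
  listen 443 ssl http2;
  server_name mydomain.com;
  if ($host = 'www.mydomain.com' ) {
     return 301 https://mydomain.com$request_uri;
  }
  add_header Strict-Transport-Security "max-age=31536000;";
}
"""
# The fix from the reply above: the port-80 block names both non-www and www.
FIXED_VHOST = POSTED_VHOST.replace(
    "server_name www.mydomain.com;", "server_name mydomain.com www.mydomain.com;")
```

    On a real server, feed it the contents of the domain's .ssl.conf from /usr/local/nginx/conf/conf.d and compare with what `curl -I http://domain.com` returns.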
     
  18. sepulchre

    Thank you very much, that solved the issue.

    The thing is I remember specifically removing this on purpose to have www directed to non-www in http.
    And your guide says that we should copy all redirects we have in our http version of the conf file to the https version. So I did that. But it seems it was wrong to leave that part out. Sorry for the inconvenience.
     
  19. eva2000

    Curious how many folks would like to see dual SSL certs (RSA/ECDSA) mode enabled by default for Letsencrypt SSL integration in Centmin Mod 123.09beta01? The manual method is outlined at SSL - Nginx 1.11.0 introduces dual ECDSA + RSA SSL certificate support !. However, addons/acmetool.sh optionally supports automated dual SSL cert issuance, outlined here, when you set DUALCERTS='y' in the persistent config file /etc/centminmod/custom_config.inc along with LETSENCRYPT_DETECT='y':

    Code (Text):
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    


    The only issue is you'll hit Letsencrypt rate limits for SSL certificate issuance sooner if you have a lot of SSL certs.
     
  20. rdan

    Me :).
    I have dual certs enabled for all the large sites I have.